Back

Prompt Injection Vulnerability in GitHub Actions AI Agents Exposes API Keys

Severity: High (Score: 73.5)

Sources: docs.github.com, Theregister, oddguan.com, github.com

Summary

Security researchers have discovered a prompt injection vulnerability affecting three AI agents integrated with GitHub Actions: Anthropic's Claude Code Security Review, Google's Gemini CLI Action, and Microsoft's GitHub Copilot. By crafting malicious pull request titles or issue bodies, attackers can manipulate these agents into executing unauthorized commands, leading to the leakage of sensitive API keys and access tokens. The researchers, including Aonan Guan from Johns Hopkins University, validated the attack and received bug bounties from the vendors, but none have issued public advisories or CVEs. This vulnerability is particularly concerning as it operates entirely within GitHub, with no external infrastructure required. The CVSS score for the vulnerability has been rated as 9.4, indicating a critical severity level. The researchers warn that users may remain unaware of their exposure if advisories are not published. The attack method could potentially affect other AI agents that interact with GitHub Actions. Current status indicates that the vendors have not yet responded to inquiries regarding the issue. Key Points: • Three AI agents in GitHub Actions are vulnerable to prompt injection attacks. • Attackers can steal API keys and access tokens by manipulating pull request titles. • Vendors have not issued public advisories or CVEs despite the critical nature of the vulnerability.

Key Entities

  • Data Breach (attack_type)
  • Anthropic (company)
  • Google (company)
  • Microsoft (company)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1059 - Command and Scripting Interpreter (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • Claude Code Security Review (platform)
  • Gemini CLI Action (platform)
  • GitHub (platform)
  • Google Gemini CLI Action (platform)
  • GitHub Actions (tool)
  • GitHub Copilot (tool)
  • base64 (tool)
  • Bash (tool)
  • Cat (tool)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed